Clariti Docs
Credentials~15 minutes· medium

Microsoft Active Directory

Identity

Connects to on-prem Active Directory over read-only LDAP(S) to pull user accounts, computer objects, and AD-hygiene findings into Clariti for identity visibility.

What Clariti Collects

What You'll Need

  • A read-only AD service account (no admin rights required)
  • LDAPS reachable on port 636 from the connector host
  • The base DN for your directory (e.g. DC=corp,DC=example,DC=com)
  • ~15 minutes to complete setup

Create a Read-Only Service Account

Log in to a domain controller or a machine with Active Directory Users and Computers (ADUC) installed.

In ADUC, create a new user account dedicated to Clariti — for example svc-clariti-readonly. Set a strong, non-expiring password. This account needs no administrative rights.

Grant the account Read permission on the domain root or the specific OUs you want Clariti to ingest. In ADUC, right-click the OU or domain root → PropertiesSecurityAdd the service account and grant Read and List Contents.

Gather Your Credentials

You will need three values to complete the connection in Clariti:

| Field | Example | |-------|---------| | Bind DN | CN=svc-clariti-readonly,OU=Service Accounts,DC=corp,DC=example,DC=com | | Bind Password | The password you set for the service account | | Base DN | DC=corp,DC=example,DC=com |

The Bind DN is the full distinguished name of the service account. You can copy it from the account's Properties → Attribute Editor → distinguishedName in ADUC, or run Get-ADUser svc-clariti-readonly | Select DistinguishedName in PowerShell.

Enter Credentials in Clariti

Value from vendor consolePaste into Clariti field
Bind DNBind DN
Bind PasswordBind Password
Base DNBase DN

Verify Connection

Click Test Connection in Clariti. A successful connection returns a green checkmark. The connector uses LDAPS (port 636) for all communication — ensure the domain controller's certificate is issued by a trusted CA or that the connector host trusts the domain's CA.

Troubleshooting

  • LDAP_INVALID_CREDENTIALS — Double-check the Bind DN (must be the full distinguished name, not just the username) and the Bind Password.
  • Connection timeout — Confirm port 636 (LDAPS) is open between the connector host and the domain controller. Port 389 (plain LDAP) is not used.
  • Insufficient access — The service account may lack Read permission on the target OUs. Re-check the ADUC permissions and ensure inheritance is enabled.
  • Certificate error — The domain controller's TLS certificate must be trusted by the connector host. Install the enterprise CA certificate in the connector's trust store if needed.